This policy describes how OmniStrat AI ("we," "us," "OmniStrat") handles personal information when you use the OmniStrat Router, the Quant Terminal, the Openworld, or the marketing site at omnistrat.ai. We have written it the way we would want one written for us: plain language, no dark patterns, clearly enumerated.

1. What we collect

Account data

• Email and name when you create a Passport.
• Password hash using PBKDF2-SHA256 at 600,000 iterations (OWASP 2023+ guidance). We never store your password in clear text and cannot recover it.
• Account metadata: creation date, last sign-in, sign-in IP, subscription tier, entitlements.

Product use

• Router: API request counts, provider used, model used, token counts, cost in USD. We do not retain prompt or response bodies beyond ephemeral audit-trail purposes (see Section 3).
• Quant Terminal: the trades you place go directly to your broker. We do not see, store, or have ability to see your broker credentials. Trade history shown in the Terminal is fetched live from your broker on each session.
• Openworld: save states, character progression, choices, faction membership, in-game messages.

Site analytics

• Cloudflare Web Analytics — privacy-preserving, no cookies, no fingerprinting. Aggregated page views and country only.
• Standard request logs at our edge (IP, user agent, path) retained for security and abuse detection for 30 days.

2. What we never do

• We do not sell your data. Not to anyone, not under any circumstance.
• We do not run ad networks, embed ad pixels, or share data with advertisers.
• We do not read your AI prompts or completions outside the cases described in Section 3.
• We do not require third-party trackers to use the site. The only third-party requests served from our pages are Google Fonts (CSS only, no cookies) and Cloudflare Web Analytics.

3. How we use what we collect

• To provide the service. Authentication, billing, request routing, save state, multiplayer matchmaking.
• To enforce safety. The Router uses provider-side moderation on outbound content and may temporarily quarantine prompts that trip safety classifiers. Quarantined content is retained for 7 days for appeal, then deleted.
• To audit security incidents. Our append-only audit chain records security-relevant events (auth, billing, admin actions). Retained for 90 days unless required longer by law or active investigation.
• To bill you. Stripe processes payments. Stripe receives the data needed to bill (email, payment method, amount). They do not receive your prompts or save data.

4. Encryption at rest

Personal identifiers (email, phone, address) are encrypted with AES-GCM-256 in an envelope pattern with HKDF subkey separation by purpose, and a HMAC-SHA256 blind index for lookups. The encryption keys are held outside the database. An operator-level database breach does not yield plaintext PII. Game save data uses a separate, save-data-specific key (SAVE_ENCRYPTION_KEY) so a Router-side incident does not expose Openworld saves.

5. Data residency

Our default deployment runs on Cloudflare's global edge with origin Postgres in US-East. Workers Durable Objects, KV, R2, and Vectorize indexes are co-located with the request when possible. For Cathedral customers (institutions), we deploy a single-tenant stack in the region you choose (EU, US, APAC, or sovereign).

6. Your rights

Regardless of where you live, you have the right to:

• Access a copy of your data. Email privacy@omnistrat.ai.
• Correct inaccurate information.
• Delete your account. Sign-in, open your Passport, and use the delete-account link, or email us. Deletion propagates within 30 days to backups; deletion of audit-chain records is bound by the 90-day retention.
• Export your data in machine-readable form. R2 bucket of encrypted JSON, decryptable with a key we give you in-band.
• Object to any processing not strictly necessary to deliver the service.

If you are in the EU/UK, GDPR/UK-GDPR applies. If you are in California, CCPA/CPRA applies. If you are anywhere else and have a request, we will honor it on the same timeline regardless.

7. Cookies

We use a single first-party cookie called omnistrat_token when you sign in to the Quant Terminal. The OmniStrat Router and Openworld use the OmniStrat Passport JWT in localStorage rather than cookies, so requests sent to api.omnistrat.ai from the marketing site do not carry session cookies. No analytics cookies. No marketing cookies. No third-party cookies of any kind.

8. Children

OmniStrat AI is not for users under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, email privacy@omnistrat.ai and we will delete it.

9. Changes to this policy

If we materially change how we handle your data we will email account holders before the change takes effect and post the new policy with a new "Last updated" date. Non-material changes (typos, clarifications) may be made without notice.

10. Contact

Privacy questions, deletion requests, and DSAR submissions go to privacy@omnistrat.ai. Security disclosures go to security@omnistrat.ai. General contact at hello@omnistrat.ai.